Slashdot Mirror
Half of Tor Sites Compromised, Including TORMail
First time accepted submitter elysiuan writes "The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA. In a crackdown the FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network have been compromised, including the e-mail counterpart of TOR deep web, TORmail. The FBI has also embedded a 0-day Javascript attack against Firefox 17 on Freedom Hosting's server. It appears to install a tracking cookie and a payload that phones home to the FBI when the victim resumes non-TOR browsing. Interesting implications for The Silk Road and the value of Bitcoin stemming from this. The attack relies on two extremely unsafe practices when using TOR: Enabled Javascript, and using the same browser for TOR and non-TOR browsing. Any users accessing a Freedom Hosting hosted site since 8/2 with javascript enabled are potentially compromised."
Looks very much like the three letter agencies decided it's time now to start playing hardball.
Computer Intrusion is illegal, and the FBI knows that.
So is spying on someone without a warrant, and given that they can't know who they're spying on, I don't see how they could possibly have obtained a warrant for this action.
I hope the TOR user community sues them. Very roughly. And with extreme prejudice.
The US has gotten way too fucking big for it's britches.
I used to think maybe there was justification for the anti-terrorism attitude that the US has.
I've changed my mind.
My sympathies now lie with those who rise up against these goddamn born-again Nazis in their attempt at world domination.
You go, Al Queda!
I do not fail; I succeed at finding out what does not work.
"Any users accessing a Freedom Hosting hosted site since 8/2 with javascript enabled are potentially compromised."
That would include all the FBI computers used to deliver the poison, then?
Put your Tor client in a Secure Linux VM, so none of your hardware information can be exposed. Go to https://check.torproject.org/ to check if Tor is working, and make sure NoScript or something similar is enabled.
Should have invited the feds to defcon after all. Seems they got bored this weekend.
This tells me (along with the heightened "terror alert" level) that we're about to find out why the TSA has been buying up all the bullets. WW3 any day now.
I know I should be getting all upset about privacy and quoting 1984 and saying things like "slippery slope".. but I'm just too damned impressed.
I mean I think most people assumed _someone_ was trying to or had broken "the tor problem", but this is pretty damn epic, and this is one of those rare times when I actually believe they really are trying to protect the children.
So the FBI, with no particular target in mind, are using the Tor network as a line of beaters in the bush scaring out any kind of animal and hopefully only shooting the ones they are trying to find. Meanwhile, every animal is scared out of it's normal activities until the beaters have passed.
Yeah, that's not intrusive at all. No privacy compromised for anyone. And all it takes is the FBI actually infecting the Tor network with their own malware. Thank heavens they're the good guys. Oh, wait, the good guys wouldn't intentionally infect computers and networks, would they?
The "I don't like the government monitoring me" part of me objects to this, but the "Find every pedo and kill them slowly" part of me is currently winning out, because lets face it for every legitimate user of TOR, there was about 200 pedo's.
What does 8/2 mean? August 2d or 8th of February?
Kind of ambiguous...
I wonder about the legality of FBI's action here. Ok, I guess they have some kind of search order/wiretap order for "investigating pedophiles" against one specific site, but what about collateral damage? I mean they shut down an email service used by normal people as well. They did track and spy on activities on normal law abiding citizens. Did they effectively break into a big number of law abiding citizen's machines against whom no search or writetap orders were issued?
Or can FBI hack anyone at will without any legal oversight? I don't remember getting the memo where such behaviour from a government agency is legal.
Well I guess we can stop pretending we live in a law-abiding democratic world. It's an oligarchy run by the banks, the rich, lobyists and professional politicans, and scew everyone else...
--Coder
So basically, if you're legally accessing a website while browsing with Tor, making use of legal services in a legal fashion... the FBI will install a wiretap on your computer, without a warrant, in order to monitor all your activities, on the off chance that you might be up to no good. This is rather like walking out into rush hour traffic, pointing at random cars, and saying "Search that car! We know terrorists use cars, so let's start searching them all."
Dear FBI,
Fuck you. That's a terrorist's mentality. You're worse than the lowly pieces of shit you hunt, because we expected you to uphold principles of integrity, honor, and those other words you got plastered on your slimy logo that used to mean something. You are, in fact, worse than a terrorist: You're a corrupt law enforcement organization with a bigger budget than any terrorist organization out there, and you are doing more harm to this country than catching a hundred Bin Ladens could accomplish.
-_- The internet is a global and international community and you need to show some restraint, otherwise you're going to create large amounts of resentment and anger throughout the world. No wait: You already have created this. You are endangering the infrastructure and the people you are oath-bound to protect with your actions. I don't give a flying fuck through a rolling doughnut what authority or law you think gives you the right to act in this fashion... you're a public menace. You're just giving everyone who doesn't like this country piles of ammunition and sympathy from the general public that can be used to attack MY country.
Knock it the fuck off. Now.
#fuckbeta #iamslashdot #dicemustdie
Wait, wait, wait, woah, woah woah. Are you serious?
No, really, I'm not believing what I'm reading here. Is this REALLY serious?
People actually, seriously believed Tor was some sort of privacy magic bullet? A network where anyone can host an exit node, nobody knows who those exit nodes are, and there's no control on what happens at those exit nodes, and this is all by DESIGN, and people somehow thought this was impervious to surveillance and thoroughly uncompromisable? REALLY? What, did everyone just think that the government wasn't allowed to use publicly-available network services or something?
No wonder the government's getting away with everything. When people who claim to be privacy nuts are such godawfully fucktarded morons to fall for this, I guess we're pretty well doomed on that front. Wait, I've got it! Someone else suggest a private browsing mechanism over public channels! I'm SURE it'll work this time! I don't know how, but if we just keep throwing the words "anonymized" and "encrypted" in it over and over again and post about it on Slashdot, it's sure to work! Yeah!
Idiots.
I'm starting to wish governments would just get it over with and declare a permanent state of emergency. A different arm band for each person's assessed threat level, embedded RFID with skin tattoo for redundancy and mandatory iris, DNA and fingerprint sampling for all citizens. Upgrade traffic cameras with RFID readers and facial recognition software, require RFID and cellular GPS transponders on all automobiles and motorcycles and perform mandatory searches of persons and vehicles for any traffic stop. Nationalizing all ISPs, search engines, telco providers and banks would also be a smart move. Frankly I'm disappointed the government is taking this long. Guess that's democracy for ya.
Buy your next Linux PC at eightvirtues.com
People browse TOR with Javascript enabled?!? And use the same browser for non-TOR and TOR browsing?!? They fk'n deserve to get busted. Fk'n Retards.
How old is it?
First of all, use Whonix to access Tor, never the same browser you use for any other purpose.
Second, use Firefox with a JonDoFox profile which is not included in Whonix Workstation by default.
Third, go to ip-check.info and run the test on your browser. Everything should be green or yellow at the worst. If you see anything in red, fix it before you go to any questionable site. Finally, make sure you don't have any DNS Leaks in your host OS by running this test also from your regular host browser. Don't use or trust DNS from your ISP.
If you want to be extra-cautious, run the Whonix Gateway after you establish a VPN connection. Choose an offshore provider that has multi-hop technology to avoid traffic analysis. I'm using iVPN who is located in Malta.
You think the Russians and the Chinese, or Pakistanis or Nigerians will play with kid gloves? We are establishing the boundaries for the coming century of conflicts, most of which will take place in the digital realm, paying little heed to national borders or treaties. A dirty war fought with dirty weapons. A game of cat and mouse, where winner takes all, and the loser forfeits their digital secrets wholesale. He who controls the information, controls the world. The US is best placed to take the lead, they cannot give up their technological and logistical edge. It's a battle to ensure the world is safe for democracy and capitalism - in other words, to make the world safe for America. It's a golden time to be a contractor.
We're half way there.
Yesterday I made a posting on CNN regarding the story about the heightened terrorist threat alert. While it covers a different subject, I could re-write it to fit this situation, but I think the slashdot crowd will get my drift, here is a direct copy\paste:
I do not know who to trust or what to think anymore. If this threat is real or not, I imagine we are intended to suppose that it was the US governments blanket surveillance of the world, including domestic spying that tipped them off. On the other hand, the timing is such (Snowden/Manning) that for all I know they made the whole thing up to better justify government wrongdoing in the eyes of the people. Or perhaps al Qaeda made the whole thing up just to see if they can manipulate the movements of our government by taking advantage of info gathering with a campaign of false intel. I don't know who to trust or what to think anymore, with the exception that I know I don't trust my own government. They have proven themselves manipulative liars.
Brought to you by Carl's Junior.
I don't see how this affects Bitcoin at all. It's not an exploit of Bitcoin. Bitcoin isn't dependent on any onion sites, "Freedom Hosting", or Tor. The Silk Road are not the only users of Bitcoin.
Anonymousse Leejun and the associated operations are mostly a bunch of kids that get manipulated by Al Quaeda, etc....
Thoses people don't think by themselves.
It goes without saying that if the US government is so paranoid and afraid that it'll tap your god damn Facebook profile, then it is going to be hell bent on trying to get at Darknets, anonymising services and Tor.
Abuse of power comes as no surprise.
against our "stout" principles. I'm a libertarian leaning type of guy, that said... I abhor child abuse and especially child sexual abuse, it should be an automatic death sentence, so if they got even one fucking child rapist, I somehow find myself turning a blind eye to this obvious subversion of personal rights.
EFF in the White house, ASAP please.
I understand there's a legitimate need to conduct surveillance when justified. But having people from the EFF and/or ACLU running, or at least supervising things will likely act as a filter to prevent further abuses and level the playing field.
Nothing is enough for whom enough is too little - Confucius
Where are people getting this HALF figure from? That is entirely untrue.
You know, the people who attacked us on 9/11/2001, and prior to that as well have one objective: Destroy our way of life.
I guess they don't like how we live, or something, I know it has a lot to do with us messing around in the Middle East, but that all aside, one of thier main objectives is to trash our way of life.
Winning! Very much winning, they don't even need to fire a shot, or sacrifice any more people. Our way of life is nicely ruined and getting worse by the day because of our fear of terrorists and just how far we're willing to go in the name of 'protecting ourselves.' Trouble is.. who is gunna protect us from those protecting us? Cuz they're running totally out of control now.
There are acceptable ways for combating criminal and terrorist activity, but this is not one of them. Combating criminal behavior with.. uh, more criminal behavior isn't exactly a time proven method of deterring crime. America's government and law enforcement are becoming as evil as the enemy they mean to stop. Those responsible for this attack on a third party site, REGARDLESS of reason, should be prosecuted to the fullest extent of the law.
But the 'terrorists' are winning with every freedom lost, every outrage committed. Good job America, keep playing right in their hands.
not-so-anonymous as the label might suggest; but well, here goes.
There is a redundant recirculating rumor about the intarwebs that $fed_agency (TSA, FBI, INS, DEA, DHS... the list really does go on forever almost like Pi) is buying up all the ammo on the common market; and that in reaction to this we should 'get ammo while we still can'... completely bogus! Yes, they do purchase ammo, but our total national manufacturing cpacity for ammo, plus that of all the other ammo manufacturing nations; has for decades since WWII and Korea far outstripped the total commercial demand.
Most agencies purchase ammo in yearly contract volumes, which quanities are produced to meet those contracts and thus hav very miniscule impact on global availability of commercial civilian ammunition.
Futhermore, the reactionary buying happens in a scale so as to completely dwarf these contracts and any individual purchases by $fed_agents, such that the reactionary buying actually drives prices up (at the RETAILERS) and makes ammo more expensive for us all.
As Granpa says; "Don't whine at me about a problem unless you have a solution."
Simple solution:
1.Get a used reloading kit for the munitions you need.
2. learn to use a crucible and molds for projectiles - it is not rocket science to make better (better = more precise tolerances, lower drag co-efficient, improved terminal preformance) projectiles than those commercially available. (another good use for 3D printer in making precision molds)
3. learn some fundamental turn of the 20th century chemistry into the production of nitric acids from farm wastes (ie chickenshit), and learn, practice, and apply qualitative analysis to your small batches of 'blackpowder' or 'smokeless blackpowder' - or upgrade into nitrocellulose. (have a granpa or other old timer chemist teach you how to do this safely, mork away from your home, work in small quantities, dont store loose propellants in any quantity - fresher is better, have enough ammo to buy yourself the time to make more when you need it, beyond that is's just sitting going stale)
4. never hafta buy ammo again, simply use reloadable brass or use a small CnC lathe to turn out non-reloadable stainless casings.
I dont know what local regulations may be in place to prohibit any steps of this process in your home 'jurisdicktion' : but a fake sense of shortage of commercial ammo; and the ensuing price gouging by the RETAILER in your neighborhood isnt doing anything but separate the afraid and gullible from cash.
The total cost of everything to do this, excepting maybe the 3d printer, is lower than you might expect. The reason this approach isnt the normative practice around the world is that there IS NO SHORTAGE OF AMMUNITION! But If there were, it takes less than a day to set up a workshop to do this, another couple days for the extraction and purification of nitric acid / potassium compounds, a weekend of foundry, reloading, and quality control test firing - and bingo, the ability to manufacture small batches of high precision ammo for legal use!
If the execuse is not pedophiles, it's terrorists, or drug cartels. All of you fucks who chose safety over freedom, enjoy the world you have made.
Who else is stuck using a derivative of Firefox 17 other than Debian users of Iceweasel?
I have operated a Tor hidden service. It was a test, and I ran it for a few minutes. Was this included in the "half of Tor sites"? I can generate as many hidden services as I want: its really easy.
This seems to be no more that people were miss using Tor, and thus it failing to work for them, in combination with some hidden service providers not being trust worth (and you shouldn't trust them anyway).
How Tor works: 1) you anonymously connect. 2) you give out your true identity to an un-trusted party 3) You fucked up.
Using Tor to anonymously do things isn't trivial. It only removes one way to leak your identity, there are tons of others.
That said, the fact that the attacker here is the FBI is interesting. What this should be titled: FBI illegally hacks TOR noobs.
It's the freaking FBI. That's not exactly a secret rogue agency. FBI director Mueller briefs Obama directly. Technically, Clapper is Mulleur's boss, and Obama is Clapper's boss. That's ONE GUY in the chain of command between Obama and the FBI.
I would use Tor only on a netbook with no HD, booting from an internal read-only USB stick off the webcam USB line (I would want no webcam anyway) into a preconfigured Linux (or *BSD just to maximize obscurity). The actual boot partition would be encrypted. A text-mode browser like lynx would deal with javascript and other nonsense thoroughly. I would use it only on public or otherwise free or available networks not connected in any way to me. I would make sure the WiFi card would use a fresh random MAC for every connection. External USB and Ethernet ports would be physically disconnected or glued shut and the case sealed. It would have a switch soldered in to disconnect battery power.
I'm too lazy for that though.
I think it is very hard to believe that TOR mistakenly released a single version of their TOR browser with javascript conveniently activated. I wouldn't be surprised there was a concerted operation with FBI to reduce child porn on the TOR network. Actually, they could be legally coerced into doing exactly that.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
And another thing..... Always remember to disconnect from the internet.
TOR networks will always be compromised by the DENIAL OF REALITY attacks on all its faithful users:
the truth is out there, we are NOT alone!
Stop believing in fairy tales - there is no privacy.
1.) have you also cut the microphone ? (voice identification) / yes freebsd has support for various sondcards
2.) is sendmail running ? (just install a fresh FreeBSD and portscan and be supprised) (exploitable point of intrusion, by zero day)
3.) Hardware unique identifiers, serialnumbers (pci(e) - take a deeper look at your windows control center) , mac addresses .. yes fresh fakeable, but ! the macadress contains vendor information! and needs a reboot most likely after every change
4.) USB-Stick -> serialnumber of sdcards & usb-sticks ?
5.) soldered in to disconnect (that's worse than the controlled selfkill of truecrypt, because your memory contains the data for at least 7 more minutes
(freeze ram forensics)
6.) no hdd bad, flash memory is harder to delete than hdd (and fakes sometimes a delete to speed up)
7.) public networks, triangulation(signal strength) + cctv and zoom in on your face ( have you also turned your phone off ? .. well all 99% others around you haven't bingo!)
We got lots of evidence (more than enough to show probable cause) showing Obama gave orders to large groups within Federal Government in Homeland Security and FBI to lead local/state police on the ground in sweeping out all the Occupy groups in late night raids when nobody would be watching on TV.
It was highly illegal for Obama to give orders to Federal Government personnel to lead local police against those protesters. It's was made legal later after Obama had gone after Occupy protesters.
If only half the systems are infected, then the remainder are just in DENIAL.
If you sail on the ship of fools it doesn't matter how safe and secure you feel - the ocean gets you wet, one way or another.
somehow get firefox to NOT use the configured socks proxy?
javascript can do that?
-
if you block all requests TO port 80 going out your router, that is block a regular firefox
from accessing normal websites, this won't work?
only way to access the web (port80) is thus thru a local tor-server (that is behind the router).
or block (on router) all outgoing requests coming FROM the (internal) ip address on which the firefox is running and
only allowing outgoing request (to port 80) from the ip on which the tor-server is running?
purple blue green yellow
Actually, these secret courts started in 1978
If you're using the same browser profile for tor and anything else, then YOU'RE FUCKING STUPID.
If you're using tor to do anything legally questionable, and you're letting persistent cookies be set, YOU'RE FUCKING STUPID. If you also have have javascript enabled, then YOU'RE REALLY FUCKING STUPID.
Unless there's something they're not telling us, this is just another case of harvesting some low hanging fruit. Specifically: lazy stupid assholes who don't know any better or just don't care.
http://www.ask.com/question/what-is-the-penalty-for-opening-someone-else-mail. 5 Years times, say a billion a day.
FISA allows the executive, under the direction of the president, to apply for a secret search warrant from a confidential court. That's the extent of the "secrecy" there is any evidence of in the judicial branch.
That court, like any other, can approve the warrant requested by the administration. I've seen no evidence, or even any claim other than yours, that the courts in any way direct the executive agencies. Do you have anything, anything at all, to support your novel and extravagant claims? If not, doesn't it make much more sense to focus our energies on the well known and currently very visible fact that the executive is trampling the Constitution?
Wow. That's a whole lot of stupid you've got there. Does that hurt at all?
Wasn't TOR set up and funded by the US gov? Did they change their mind or was it always just a honeypot?
Good thing I use a clean-state VM for darknet surfing...with JS disabled, along with most every other feature beyond regular HTML rendering.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Would you care to identify someone who has already been "identified" as opening the floodgates to the "Leucosphere" (Anglosphere and Europe) other than Emmanuel Celler? Name the Jews responsible for opening Canada, UK, Australia and New Zealand? Germany had an asylum clause hard-wired into their Grundgesetz ("Basic Law" i.e. their constitution) as a countermeasure for Nazi activity). I guess the USA, UK and France were responsible for that. I can't see Russia (USSR at the time) as responsible for making East Germany so Jew-friendly as West Germany was at that time.
There seemed to be a brief moment of quickened conscience on the part of the civilized world after WW2. That led to the opening of borders in the 1960's. That relieved pressure for the third world to change.
What it all comes down to is that YOU can't compete against them wiley third worlders, right? They act as collectives, reserving opportunities for themselves while you as a white individual are compelled to exist and compete as an INDIVIDUAL. Whiteness has atomized you. It's you versus Creator and Creation. The only privilege you have is that when your tail light is dark, the cop will let you off with a warning to change the lamp and not issue a citation for failure to maintain. That does not guarantee sinecure employment anymore and thou art peeved!
Eschew white privilege and get your Gurdwara-shooting 14-88 tattooed fake Aryan ass out there and sledge, slave, and run yourself into the ground to COMPETE against us Protected Class People (i.e. Kikes, Wetbacks, Fourteenth Amendment Humanoids, Gooks, Jeeves and Terrorists, in short EVERYONE ELSE), SCIENCE DAMN IT!
Jesus is coming back to reign and rule over this rock. He must be the JEW you hate the most. Ha-Ha! Behold the one-man Jewish conspiracy!
"The kingdoms of this world have now become the kingdoms of our God and of his Anointed One." Apocalypse 11:15
--
If I have not pushed buttons, I have not DONE my JOB!
So what happened to assumed innocent and targeted court orders? Just because TOR can be used in bad ways doesn't mean you have to.
If they do this, why not just track every car and what is in it? Mount GPS and cameras in every car.
---- Booth was a patriot ----
I imagine that the major projects (Debian, Fedora) get adequate security review to trust that the binaries actually match the sources; and tat the sources are reviewed by many eyes. For a little known distro like Whonix -- why would you think you can trust that the binary doesn't have backdoors installed by the people who put it together. I find it quite possible that many intel agencies would benefit by putting together their own privacy-tools with backdoors. How can you be confident that this one isn't one. (Personally I'm guessing you're safest using either Debian or Fedora (NOT Ubuntu or RHEL) and configuring it yourself.)
There's a pretty good unwrapping of the payload here, and it's a pretty creative exploit of the javascript interpreter to execute shellcode. Just from a glance at the shellcode, I see a hand-crafted HTTP header so at minimum they're using the OS network stack directly to give the tor-level UUID a public IP coorelation. Beyond that, they could be doing anything since they're already through the sandbox.
As long as you keep telling yourself that it's about Obama, you're just another part of the problem, not the solution. Occupy was and is a complete joke, you're all simply looking for a pansy completely ignoring the fact that whoever is in office is just a puppet, a face for a PR campaign.
Read the post you replied to again, and this time try to understand it is about you, your neighbours, your family, your employer and employees, not about Obama or whoever is the popular evil puppet of the month.
1 - You need proof that you were infected
2 - You need proof THEY did it
3 - Do you really want to be on *that* list?
---- Booth was a patriot ----
0-day Javascript attack against Firefox 17? but Firefox 22 is the current version. who uses Tor sites with Javascript enabled anyways? just asking.
I'm pretty sure the FBI was moved under the Director of National Intelligence in 2004. Has it changed since then? In any event, the point stands - the FBI isn't a secret agency. They report to Obama through one intermediate person.
That sounds like the administration is doing whatever they want with zero interference from the FISA court. So, pretty much the opposite of what of the court controlling the agencies as GP claimed
Things don't add up in the story they're giving. LC had absolutely nothing on OPVA, and OPVA's still here (either its a government op like PedoBoard was, or the government isn't tellung us everything) My guess? FH had something the government really didn't want out there, and the fact that there was a bit of kiddy porn on it makes a great cover story for burying whatever it was they wanted gone. Oh, and this winnt only+old firefox only+javascript only hack? Funny how nobody can actually figure out what the payload is. My guess is there isn't a payload: the government's already figured out who they're rounding up on this (possibly through some other TOR crack) and is going to use this "exploit" as a cover story to hide their real capability a bit longer.
We all came from Noah, dumbfuck. We are ALL jews!!!!!!
If you have any pride, your only choice now is suicide.
OK, so why the hell doesn't someone take the five minutes to add some code to Tor that would strip out client-side scripting? It's not that hard; plenty of other secure networks do it (ex. Freenet) so why the hell doesn't Tor? I mean yeah, I get it, they give you ample warnings before you download, but is there any legitimate reason they don't do this or have they just decided they don't want to try to stop this kind of attack?
Or perhaps al Qaeda made the whole thing up just to see if they can manipulate the movements of our government by taking advantage of info gathering with a campaign of false intel.
The thought of a deliberate leak by terrorists to test American reactions crossed my mind too.
It also crossed my mind that it might have been a real terrorist plot with a deliberate leak, but with a built-in understanding that the plot was to be scrubbed or rescheduled if America took any noticeable counter-measures, such as closing an embassy.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Only TOR's modified version of Iceweasel 17 is at risk -- the ESR version in Debian's repo already has the patch.
Still, people using Debian's repos might want to take the time to grab another version from another repository or distro just for peace of mind. From apt-cache policy on my system (Simply Mepis 12, which is close enough to Debian that their repos are compatible):
iceweasel Version table:
22.0 -------- http://ftp.us.debian.org/debian/ experimental/main i386 Packages
19.0.2 -------- ftp://ftp.mepis.com/mepis/ mepis-12.0/main i386 Packages
17.0.7esr ----- http://ftp.us.debian.org/debian/ unstable/main i386 Packages
While I'm happy for the attack against pedo's, this is a warning for people using Tor for more honorable reasons:
The people are mentioning that this requires javascript and the Tor bundled browser are somewhat missing the point. That this might not be admissible evidence is also besides the point. The fact is, potentially anyone on the deep web could use attacks this way to reveal true identities. A zero day could be used that affects other browsers regardless of javascript, or perhaps non browser based exploits (irc clients, email etc).
To be perfectly protected (outside of Tor itself being compromised), use 2 VMs (or two boxes):
One runs linux and the Tor software with 2 network interfaces on seperate networks.
One interface connects to the internet, the other to some non private net.
Enable forwarding.
Use iptables to force all traffic except the Tor executable through the Tor transparent proxy port on the linux machine.
Don't allow access to any services from anywhere - use console to manage it, and don't use it for anything else.
On a second VM, connect it to the non routable interface on the Linux VM and install whatever OS you want (preferably something different).
Set its default route to be the private Linux VM address.
Never ever put any information that can be linked back to your real identity into the VMs.
Never transfer files between the VMs and other machines linked to you.
Now all of the second VMs traffic is transparently sent thru Tor, it has no route outside of Tor, and no ability to control Tor - so even if it is exploited it cannot communicate directly anywhere. The second VM would need to be compromised, then the first also compromised for traffic to be sent raw.
I've probably missed something, but that's the idea. Running Tor on the same machine you want to be anonymous on is just bad.
"Find every pedo and kill them slowly"
Mother nature is killing us all slowly. I figure I've got decades, maybe a century, tops, before she finishes the job.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
No no no, you don't understand. That 100% rate just proves how good and trustworthy the whole secret system is!
This is the most surprising story I've ever read. I'm all about the feds finally growing some balls and using whatever techniques necessary to arrest some scumbags but this could easily be the tip of the iceberg given all the NSA crap going on. If they feel like they can do anything, they will and it's a slippery slope. In this particular case, I'm glad they finally stopped letting those losers hide behind legal BS.
BUT, seriously, who the hell would use TOR on a browser and then use it for non-tor stuff? I didn't know that was even possible given how the tor browser bundle works. This is seriously going to catch like zero people, lol. But A+ for effort. Then again, some pedos are notoriously dumb.
I'm kinda mad that tormail is down though. That was a huge privacy/anti-NSA tool. Obviously they took that down on purpose as "collateral" just so it's gone. That sucks.
Say it with me now: when Obama does it, it's ok.
See?? Now you can drink the Obama coolaid too.
Because it is not like Obama is so incompetent as to not watch the executive branch of government. And it's not like Obama is such a traitor that he'd be tried by the American people.
So just say it in your mind: it's ok when Obama does it.
We're now in the age of Big Data crime enforcement, where to be abnormal, in the sense of deviating too far from the median/norm is all it takes to be flagged as a suspect. The danger I see in the future is that, in order to avoid being caught in the net of the federal surveillance agencies people will deliberately start acting within the "norm", like visiting the sites online, Facebook/Twitter/G-something for your communication needs, or CNN/Fox/BBC for your "news", or whatever local site is "popular" in your area. To have an opinion will be to choose from an approved list, much like a multiple-choice exam or, worse, like the presidential election.
But this is one reason why I2P is so much better than TOR: There is next-to-zero expectation from I2P sites for you to allow Javascript.
OTOH, Javascript is turned on by default in the TORBrowser.
Any users accessing a Freedom Hosting hosted site since 8/2 with javascript enabled
Is this like an American August 2nd, or a rest-of-the-world 8 February?
And no, I did not RTFA. Worried that the FBI would be tracking everybody who is even interested in this news.
The exploit transmits your identifying information to IP address 65.222.202.54. The information includes a unique tracking number generated by the exploit server, your computer's MAC address, your computer's host name, and any other IP addresses and host names visible on your local network.
This IP address traces back to a Verizon business account just outside Washington D.C., not far from FBI and CIA headquarters. You can see the IP location trace here, complete with a zoomable Google map. However note that the location trace is probably just an approximate location. Zooming all the way in shows a local shopping center, but that's probably just the location randomly landing at the "center" of a town or other service area.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Cool, they also chose the proper posture for the eagle.
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
I think there is a practical difference between a 2-party system and a n-party system where n > 2. It's not what you think, though, and I'm not sure which one is really better in practice.
At least from my observations, a two-party system produces heavy polarization. Nowhere have I seen such a polarization as the one in US between Democrats and Republicans. Everyone is sure that their POV is the good one and cannot comprehend how someone can possibly support the other party. As you say, you can choose your flavor of police state.
A system of three roughly equally big parties, however, seems to emphasize consensus. As none of the three parties can hope to form a government alone, they will need to secure the cooperation of at least one of the two other. None of them can afford to become the lone different party, because that would just result always in the other two parties forming a government (unless the winning party manages to persuade enough smaller parties to join a coalition government with the two other parties left out). The result is that you have three basically identical parties that are more or less only differentiated by how they market themselves. Of course there are politicians in the parties that would like to be different, but in order to secure a government with another of the parties, you will need to make concessions, which usually excludes the points of view that are unique to one party.
So, the end result is that you can choose from three flavors which are not really that different. Not that consensus policymaking would necessarily be bad - it's not.
In my country a fourth big party has recently emerged. It will be interesting to see how this affects the dynamics as we've only seen something like two elections where this was the case.
Of course it also depends on the system used in elections. I think the US-style "winner takes it all" system basically forces only two big parties to emerge.
Still, as someone who lives in a country with more than two big parties, I don't think I'd ever want to see a government effectively controlled by only a single party, not for any period of time.
There is no war on terror. It's all just media propaganda. There has not been a single major terrorist attack the last 100 years which was not a false-flag attack. If you still haven't figured out that 9/11 was an inside job then consider this: There's hundreds of videos and pictures who clearly show massive steel beams being thrown up and away during the _demolition_ of WTC 1 and 2. The official story is that gravity made these buildings come down. Gravity does not make things fall up. Try dropping something and check it out for yourself. You're in a fascist dictatorship with an illusion of freedom, just like everyone else within the NATO alliance.
9/11: Never forget it was a false-flag operation
This is already the case. If you write something which goes against government propaganda in Norway (and other NATO countries) then the government tortures you. It's already dangerous to have opinions different from the government approved list. I know a lot of people here will violently oppose this truth, but deal with it: we have to truthfully asses the current situation in order to improve it, and improvement really is needed. Free speech is a nice theory that I would like to see become practice.
9/11: Never forget it was a false-flag operation
The whole thing sounds weird to me. My "white" friend Kristi is darker in color than my "black" wife. When "white" is a darker color than than "black" there might be something wrong with that labeling.
Why, after all this time is java still a security hole ridden POS? and good luck getting it fixed NOW that it's the NSAs' bitch. I'll freely admit that my coding days are over, by why are people choosing java these days? At the end of the day when you tally up the "good" vs "bad" points, how does Java still get chosen? Do the benefits really outweigh getting pwnd? And yeah, we can talk about firefox and about how it shipped disabled, but this is NOT a firefox issue AFAIK. There's a 900 lb gorilla in the room, let's build a better gun, not a better room.
Is this related to Outsourcing to CHINDIA?
Casteism
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
The vulnerability was fixed in firefox 17.0.7 ESR. The current Tails 0.19 uses Iceweasel 17.0.7esr + Torbrowser patches and so should not be vulnerable.
Furthermore the js exits if it does not find "Windows NT" in the user agent string, most likely because the memory heap spray only works on Windows OS (I assume).
It's a tor site.
I wish a day went by when I did not feel even more ashamed of my country.
https://news.ycombinator.com/item?id=6161420
> you can check Wikipedia etc. for confirmation
... until the Intelligence Reform and Terrorism Prevention Act of 2004 was enacted in response to the September 11 attacks. Since then, the director reports to the Director of National Intelligence, who in turn reports to the President.
Wikipedia says you're wrong, I'm right. Quoting Wikipedia:
You might be right, but the source you mentioned says I'm right.
I sometimes wonder about these "security" or "privacy" based distributions.
Maybe it's just the paranoid in me, but wouldn't they be an easy target for honeypots? Also, how do they get updates, etc.
Would anyone explain how the exploit manages to bypass DEP/NX protection?